INTPYTHON-821 Add SBOM update automation #451
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,94 @@ | ||
| name: Generate SBOM | ||
|
|
||
| # This workflow uses cyclonedx-py and publishes an sbom.json artifact. | ||
| # It runs on manual trigger or when package files change on main branch, | ||
| # and creates a PR with the updated SBOM. | ||
| # Internal documentation: go/sbom-scope | ||
|
|
||
| on: | ||
| workflow_dispatch: {} | ||
| push: | ||
| branches: ['main'] | ||
| paths: | ||
| - 'pyproject.toml' | ||
| - 'requirements.txt' | ||
|
|
||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
|
|
||
| jobs: | ||
| sbom: | ||
| name: Generate SBOM and Create PR | ||
| runs-on: ubuntu-latest | ||
| concurrency: | ||
| group: sbom-${{ github.ref }} | ||
| cancel-in-progress: false | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| persist-credentials: false | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v6 | ||
| with: | ||
| python-version: "3.10" | ||
|
Collaborator
There was a problem hiding this comment. Any reason not to use the latest version of Python?
Collaborator
There was a problem hiding this comment. I think the convention (in PyMongo at least) is to use the min, so right now we're dropping 3.9 and adding 3.10 in various places. I don't think we necessarily need to do that here but I also don't know if we gain anything by switching 3.13 or 3.14.
Collaborator
There was a problem hiding this comment. For tests, I understand. But this is just a utility script. The Python version won't affect the output, right? My thought was that if we use a later version we won't have to update it as often.
Author
There was a problem hiding this comment. The main reason for pinning is if the team ever plans to use older version of libraries that new version of python might not support. If this isn't a problem latest would be better like you said.
Collaborator
There was a problem hiding this comment. No, we wouldn't use such libraries. |
||
| - name: Generate SBOM | ||
| run: | | ||
| python -m venv .venv | ||
| source .venv/bin/activate | ||
| pip install -r requirements.txt | ||
| pip install . | ||
| pip uninstall -y pip setuptools | ||
| deactivate | ||
| python -m venv .venv-sbom | ||
| source .venv-sbom/bin/activate | ||
| pip install cyclonedx-bom==7.2.1 | ||
thanhnguyen-mdb marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| cyclonedx-py environment --spec-version 1.5 --output-format JSON --output-file sbom.json .venv | ||
| # Add PURL for django-mongodb-backend (local package doesn't get PURL automatically) | ||
| jq '(.components[] | select(.name == "django-mongodb-backend" and .purl == null)) |= (. + {purl: ("pkg:pypi/django-mongodb-backend@" + .version)})' sbom.json > sbom.tmp.json && mv sbom.tmp.json sbom.json | ||
| - name: Download CycloneDX CLI | ||
| run: | | ||
| curl -L -s -o /tmp/cyclonedx "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.29.1/cyclonedx-linux-x64" | ||
| chmod +x /tmp/cyclonedx | ||
| - name: Validate SBOM | ||
| run: /tmp/cyclonedx validate --input-file sbom.json --fail-on-errors | ||
| - name: Cleanup | ||
| if: always() | ||
| run: rm -rf .venv .venv-sbom | ||
| - name: Upload SBOM artifact | ||
| uses: actions/upload-artifact@v5 | ||
| with: | ||
| name: sbom | ||
| path: sbom.json | ||
| if-no-files-found: error | ||
| - name: Create Pull Request | ||
| uses: peter-evans/create-pull-request@v7 | ||
|
||
| with: | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| commit-message: 'Update SBOM after dependency changes' | ||
| branch: auto-update-sbom-${{ github.run_id }} | ||
| delete-branch: true | ||
| title: 'Update SBOM' | ||
| body: | | ||
| ## Automated SBOM Update | ||
|
|
||
| This PR was automatically generated because dependency manifest files changed. | ||
|
|
||
| ### Changes | ||
| - Updated `sbom.json` to reflect current dependencies | ||
|
|
||
| ### Verification | ||
| The SBOM was generated using cyclonedx-py with the current Python environment. | ||
|
|
||
| ### Triggered by | ||
| - Commit: ${{ github.sha }} | ||
| - Workflow run: ${{ github.run_id }} | ||
|
|
||
| --- | ||
| _This PR was created automatically by the [SBOM workflow](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})_ | ||
| labels: | | ||
| sbom | ||
| automated | ||
| dependencies | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's possible for these files to have changes that don't involve any dependency changes. Is there logic in this job that prevents a PR from being opened in this case? (I guess GitHub may disallow a PR with no changes, or possibly it would be closed immediately; just want to confirm.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure myself, but I would say that if it:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Depending on the answer to #451 (comment), it might be better to simply make this part of the pre-release process.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the file changes at all, it will trigger the action to run and make an sbom PR. you'd just see the dates/metadata of the sbom.json to be changed. In that scenario the team can just close the PR.
Our team does require that the master branch have an up-to-date sbom for tracking. I can definitely add the logic if you think it's worth the extra step (actions will still get ran regardless, but we'd just compare the sbom files to see if any components actually got changed)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it's straightforward, I think it would be valuable to avoid useless PRs, especially if this script has to be applied to many repositories.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And incidentally, we don't have any dependencies in
pyproject.toml(besides the optional ones for building the docs which your script doesn't install, so won't be detected anyway) so do we need to have this job watch that file?